Security

Isolated environments with audit evidence

OpsDesk runs on dedicated Cloudflare infrastructure per customer. Operators authenticate through Spot Suite OIDC; directory access uses separate admin-consented connections.

  • Spot Suite OIDC

    Operators sign in through Spot Suite OIDC with Microsoft Entra ID, passkeys, or authenticator-app MFA. End users never sign in to OpsDesk.

  • Dedicated isolation

    Each customer gets a dedicated Cloudflare Worker, D1 database, and storage. Data is tenant-scoped — no shared runtime between customers.

  • Regional data residency

    Your Customer Environment is provisioned in your chosen region — the EU by default (Cloudflare Workers with D1), with US and other regions available. Spot Cloud B.V. is the legal entity.

  • Secrets handling

    Microsoft Graph credentials are stored as Worker secrets. Google service-account keys sit in KV, scoped per tenant.

  • Audit logging

    Every joiner, mover, and leaver action records actor email, outcome, and timestamp. Export the log for ISO 27001:2022 A.5.16 and A.5.18 access-rights reviews.

  • Provider connections

    Microsoft Graph requires admin consent on the Entra tenant. Google Workspace requires domain-wide delegation. These are separate from operator OIDC sign-in.

Posture

What's enforced, in one view

Tenant isolation, authentication, and the audit trail — the controls a reviewer asks for, summarised.

  • Legal entity Spot Cloud B.V.
  • Compliance ISO 27001 baseline + region-specific frameworks
  • Operator auth Spot Suite OIDC (Entra ID, passkeys, MFA)
  • End-user access None — employees never sign in
  • Infrastructure Dedicated Worker, D1, storage per tenant
  • Data residency Your region — EU default; US & others available

See the activity log in a demo

Walk through joiner, mover, and leaver actions with recorded actor, outcome, and timestamp.